# Instruction Power Differences

Supported setups:

SCOPES:

* OPENADC
* CWNANO

PLATFORMS:

* CWLITEARM
* CWLITEXMEGA
* CWNANO

This tutorial will introduce you to measuring the power consumption of a device under attack. It will demonstrate how the power consumption of a target changes based on what operations it's doing.

If you haven't yet, you should probably complete Tutorial B1, which introduces building firmware, programming the target, and scripting.

In [None]:
SCOPETYPE = 'OPENADC'
PLATFORM = 'CWLITEARM'

## Setting up Firmware

In this tutorial, we will once again be working off of the simpleserial-base firmware.

Let's start by creating a new project and building our firmware:

In [None]:
%%bash
cd ../hardware/victims/firmware/
mkdir -p simpleserial-base-lab2 && cp -r simpleserial-base/* $_
cd simpleserial-base-lab2

In [None]:
CRYPTO_TARGET = "NONE"

In [None]:
%%bash -s "$PLATFORM" "$CRYPTO_TARGET"
cd ../hardware/victims/firmware/simpleserial-base-lab2
make PLATFORM=$1 CRYPTO_TARGET=$2

As in the previous tutorial, we'll need to modify our firmware. Navigate to the `get_pt()` function:
```C
uint8_t get_pt(uint8_t* pt)
{
	/**********************************
	* Start user-specific code here. */
	trigger_high();
	
	//16 hex bytes held in 'pt' were sent
	//from the computer. Store your response
	//back into 'pt', which will send 16 bytes
	//back to computer. Can ignore of course if
	//not needed
	
	trigger_low();
	/* End user-specific code here. *
	********************************/
	simpleserial_put('r', 16, pt);
	return 0x00;
}

```

To start off, we'll add a simple `for` loop. We'll start off by looking at how the power trace changes based on how long the loop is. Start with a loop (make sure your variables are volatile) that runs from 0 to 4:

```C
for(volatile int i = 0; i < 5; i++);
```

Next, we'll move on to actually capturing and displaying the power trace.

## ChipWhisperer Setup

Setup for this tutorial will be pretty similar to Tutorial B1, so we'll skip most of it by calling some helper scripts. This setup should work for most targets, but if you're using a target other than the XMEGA or STM32F3 (CWLite w/ Arm), you may need to call a different script or do additional setup (like programming the target with an external programmer). See the wiki page for your target for more information.

If you're curious about what's happening in these helper scripts, they're typically located in the `Helper_Scripts` folder.

In [None]:
%%bash -s "$PLATFORM" "$CRYPTO_TARGET"
cd ../hardware/victims/firmware/simpleserial-base-lab2
make PLATFORM=$1 CRYPTO_TARGET=$2

In [None]:
%run "Helper_Scripts/Setup_Generic.ipynb"

By default, the scope will capture many more traces than we need, so we'll reduce that to 1000.

In [None]:
scope.adc.samples = 1000
fw_path = '../hardware/victims/firmware/simpleserial-base-lab2/simpleserial-base-{}.hex'.format(PLATFORM)

Programming is the same as in the last part:

In [None]:
cw.program_target(scope, prog, fw_path)

## Capturing Traces

In [None]:
print(scope)

Like before, most of this should look familiar from the last tutorial. We'll start by programming the target, then capturing a trace, and finally displaying it using bokeh. We don't really care about what the target responds with this time, so we won't do anything with what we read back.

In [None]:
import holoviews as hv
hv.extension('bokeh')
import numpy as np
ktp = cw.ktp.Basic()
key, text = ktp.next()  # manual creation of a key, text pair can be substituted here

trace = cw.capture_trace(scope, target, text)
hv.Curve(trace.wave).opts(width=600, height=600)

## Further Modifications

You might be able to tell where our loop is happening, but to make sure, let's modify it and see how the trace changes. Change when the loop ends and save the file. Rebuild the file:

In [None]:
%%bash -s "$PLATFORM" "$CRYPTO_TARGET"
cd ../hardware/victims/firmware/simpleserial-base-lab2
make PLATFORM=$1 CRYPTO_TARGET=$2

Reprogram the target:

In [None]:
cw.program_target(scope, prog, fw_path)

And capture a new trace:

In [None]:
trace2 = cw.capture_trace(scope, target, text)

In [None]:
hv.Curve(trace2.wave).opts(width=600, height=600)

It should now be very obvious where our loop is happening. Verify that the number of similar looking power spikes matches how many times the loop is run. Now let's take a look at how different operations affect power traces:

## Comparing Operations

To make things easy on us, let's select operations that we would expect to have very different power traces. One easy metric to base your decision on is how long the associated instructions take to execute (which is typically documented either in the datasheet, or in the core's documentation). For example, on XMEGA we'll compare adding (1 cycle) with multiplying (2 cycles).

### XMEGA

### STM32F3

Our reference for the STM32F3 (which has an Arm Cortex M4 CPU) will the [Cortex M4 Instruction Set Summary](http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.ddi0439b/CHDDIGAC.html). As we can see, the multiply instruction takes 1 cycle to execute, while the divide instruction takes between 2 and 12. These instructions also have analogous C operations (* and /) so it will be easy to get the compiler to insert them.

This is a pretty drastic difference, so the two instructions should look very different. Change your loop so that it preforms multiplications each time through:

```C
volatile int b = 0xAFFA;
for (volatile int i = 0; i < 10; i++)
    b *= 11;
```

### Capture: Operation 1

Now rebuild and capture another trace:

In [None]:
%%bash -s "$PLATFORM" "$CRYPTO_TARGET"
cd ../hardware/victims/firmware/simpleserial-base-lab2
make PLATFORM=$1 CRYPTO_TARGET=$2

In [None]:
cw.program_target(scope, prog, fw_path)

In [None]:
trace3 = cw.capture_trace(scope, target, text)
hv.Curve(trace3.wave).opts(width=600, height=600)

### Capture: Operation 2

Replace your first operation with your second. Save the file, rebuild, program, and capture another trace.

In [None]:
%%bash -s "$PLATFORM" "$CRYPTO_TARGET"
cd ../hardware/victims/firmware/simpleserial-base-lab2
make PLATFORM=$1 CRYPTO_TARGET=$2

In [None]:
cw.program_target(scope, prog, fw_path)

In [None]:
trace4 = cw.capture_trace(scope, target, text)
hv.Curve(trace4.wave).opts(width=600, height=600)

Compare the traces. Is the one that you expected to be longer actually longer?

The longer operation is typically more complicated than the other operation, which means we would expect it to have higher power consumptions as well. Do you also see this behaviour in the traces you captured?

## Disconnecting from ChipWhisperer

Now that we're done with the tutorial, we'll need to disconnect from ChipWhisperer, so that we can connect to it in a different tutorial:

In [None]:
scope.dis()
target.dis()

## Conclusion

In this tutorial you have learned how power analysis can tell you the operations being performed on a microcontroller. In future work we will move towards using this for breaking various forms of security on devices. In particular, Tutorial B3-1 will examine how we can use this information to exploit a password check.